First off, if you are reading this blog and wondering what OpenVAS is, take a look at their website.
OpenVAS product is a vulnerability scanner. OpenVAS does much of the same things that Nessus does, Nessus split away from the original code base years ago and provides a paid version. Nessus is a great alternative to OpenVAS if you have the budget for using it, or are not technically savvy in Linux management.
I have been utilizing for client scanning for a few months now and have learned a few key lessons that I want to share that may prevent lost productivity.
The first key lesson – There is no automatic way to do anything in OpenVAS, unless you script, program, or configure it. for example: I want to schedule a nightly update to the security feed. the security feed needs to be written as a script, then scheduled with the linux cron job. I found a resource that assisted me in creating my first automation written by Calvyn Du Toit, not everything worked exactly in Ubuntu 18.04, but it was very close and helped me make an daily security feed update that works. Check out the blog I wrote that took Calvyn’s information and made is specific to Ubuntu 18.04
The second lesson – Don’t install this product on your daily use computer. I made that mistake and learned a few valuable lessons. When the computer is updated and restarted (I do this daily) and there is a current Vulnerability Scan running at the time of restart, it causes the scanner portion of the product to not work properly on restart. Each time this happens I need to perform a sudo redis-cli -s /var/run/redis/redis.sock flushall that returns OK, then run a sudo systemctl start openvas-scanner to start the scanner. My advice is to pick a stable system that you can utilize and run scans and not restart the system frequently.
The third lesson – Don’t be over zealous in settings. For example, I initially used the port list “All TCP and Nmap 5.51 top 1000 UDP” option. I also used the scan config “Full and very deep ultimate”. This combined with a low hosts scanned number and low scanned NVTs per host. The settings mentioned made for an interesting 7 day wait for the scan to complete.
Vulnerability Scanning is only good for the specific days that it was run on. The next vulnerability that is published that affects systems that are running on your network make it obsolete. But the good news is it is great at finding computers, servers, NAS devices, IP phones, Wifi that may have been installed on your network without your knowledge. It is also good for finding vulnerable systems that may have just gotten over looked, forgotten or abandoned.
In conclusion, I am very pleased with how the scanner functions. I have found and mitigated many vulnerabilities, more importantly, I have found systems that were not documented and being missed in patch the patching process. Having multiple version of Java installed is one of the more common vulnerabilities that I have found on systems using it. OpenVAS is a great tool especially when it is combined with other tools like web vulnerability scanners or Wifi scanners to assess the security posture of an organization.